Sigma Scanning with THOR

Our compromise assessment scanner THOR is able to apply Sigma rules during the local Eventlog analysis. This can help any customer that has no central SIEM system or performs a live forensic analysis on a system group that does not report to central monitoring. 

By running THOR on these systems with the Sigma feature activated, THOR becomes a kind of distributed and portable SIEM.

Since the Sigma scan module isn’t active by default, we thought it a good idea to explain how to activate and use it in the best possible way.

Open Source Rule Set

By default, THOR uses the open-source Sigma rule set with more than 500 rules provided by the Sigma project on their GitHub page.

Since our head of research is also one of the project maintainers, it was reasonable to combine the detection capabilities of Sigma with THOR’s scanning functionality on the endpoint. 

We comply with Sigma’s DRL (Detection Rule License) by including the rule authors in the event data produced by these rules.  

Custom Sigma Rules

You can easily add your own Sigma rules by placing them in the “./custom-signatures/sigma” sub folder.
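As an added example (not code from the original post or from THOR itself), the following Python script builds a minimal custom rule modelled on the “Whoami Execution” detection mentioned later in this post, checks the fields a Sigma rule must carry before THOR can use it, and writes it into the custom-signatures/sigma folder. The rule id is a placeholder UUID, and the mapping of the process_creation log source to a concrete Eventlog is assumed to come from THOR’s Sigma config; the small YAML emitter only covers the flat dicts, lists and scalars a Sigma rule needs.

```python
# Added example, not part of the original post or THOR: build, validate and
# stage a custom Sigma rule for THOR's ./custom-signatures/sigma folder.
import os
from typing import Any, Dict, List

# Constructed rule mirroring the "Whoami Execution" detection named in the post.
# The id is a placeholder; generate your own with uuid.uuid4() for real rules.
# Which Eventlog the process_creation logsource maps to (Sysmon/Security) is
# assumed to be resolved by THOR's Sigma config.
CUSTOM_RULE: Dict[str, Any] = {
    "title": "Whoami Execution (custom)",
    "id": "00000000-0000-4000-8000-000000000001",  # placeholder UUID
    "status": "experimental",
    "description": "Detects execution of whoami.exe, often used for situational awareness",
    "author": "your team",
    "date": "2020/06/01",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\whoami.exe"},
        "condition": "selection",
    },
    "falsepositives": ["Administrator and script activity"],
    "level": "medium",
    "tags": ["attack.discovery", "attack.t1033"],
}

CONDITION_KEYWORDS = {"and", "or", "not", "1", "of", "all", "them"}


def validate_rule(rule: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the rule is usable."""
    problems: List[str] = []
    for key in ("title", "id", "logsource", "detection", "level"):
        if key not in rule:
            problems.append(f"missing top-level field: {key}")
    logsource = rule.get("logsource", {})
    if not ({"category", "product", "service"} & set(logsource)):
        problems.append("logsource needs at least one of category/product/service")
    detection = rule.get("detection", {})
    if "condition" not in detection:
        problems.append("detection has no condition")
    else:
        # every bare name in the condition must refer to a defined selection
        selections = set(detection) - {"condition"}
        tokens = detection["condition"].replace("(", " ").replace(")", " ").split()
        for token in tokens:
            if token in CONDITION_KEYWORDS or token.endswith("*"):
                continue
            if token not in selections:
                problems.append(f"condition references unknown selection: {token}")
    return problems


def _scalar(value: Any) -> str:
    """Single-quote strings so backslashes and colons stay literal in YAML."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    return "'" + str(value).replace("'", "''") + "'"


def to_yaml(node: Any, indent: int = 0) -> str:
    """Minimal YAML emitter for the dict/list/scalar shapes a Sigma rule uses."""
    pad = " " * indent
    out: List[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(value, (dict, list)):
                out.append(f"{pad}{key}:")
                out.append(to_yaml(value, indent + 2))
            else:
                out.append(f"{pad}{key}: {_scalar(value)}")
    elif isinstance(node, list):
        for item in node:
            if isinstance(item, (dict, list)):
                out.append(f"{pad}-")
                out.append(to_yaml(item, indent + 2))
            else:
                out.append(f"{pad}- {_scalar(item)}")
    return "\n".join(out)


def write_rule(rule: Dict[str, Any],
               sigma_dir: str = os.path.join("custom-signatures", "sigma")) -> str:
    """Validate, then write the rule as <id>.yml into THOR's custom Sigma folder."""
    problems = validate_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    os.makedirs(sigma_dir, exist_ok=True)
    path = os.path.join(sigma_dir, rule["id"] + ".yml")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(to_yaml(rule) + "\n")
    return path


if __name__ == "__main__":
    print(to_yaml(CUSTOM_RULE))
```

Run it from the THOR directory and the rule lands in ./custom-signatures/sigma, where the next scan started with --sigma picks it up; a rule whose condition names a selection that does not exist is rejected before it reaches the scanner.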

THOR’s Sigma Config

The THOR default configuration for Sigma can be found in the Sigma repository. 

This configuration shows you which Windows Eventlogs and Linux/Unix log files get analyzed by the Sigma module in THOR.

Sigma Scanning

To activate the Sigma module, simply use the “--sigma” flag (or “sigma: True” in a YML config file).

You can start a THOR scan that analyzes the local Eventlog and activates the Sigma feature with:

thor64.exe -a Eventlog --sigma

To run a Sigma scan on a single Eventlog, e.g. Sysmon’s log, use the “-n” flag.

thor64.exe -a Eventlog --sigma -n "Microsoft-Windows-Sysmon/Operational"

To include the Sigma feature in a standard THOR scan and check only the last 3 days of the Windows Eventlogs to reduce the scan duration, use:

thor64.exe --sigma --lookback 3

Sigma Matches

Once a Sigma rule matches on a log entry, you’ll see it listed as one of the REASONs that led to the classification of an event.

The following example shows the detection of a China Chopper (Caidao) ASP web shell. That web shell was detected by multiple Sigma rules:

  1. Webshell Detection With Command Line Keywords 
  2. Shells Spawned by Web Servers
  3. Whoami Execution

Getting Started

Since this feature isn’t available in THOR Lite, please contact us via the “Get Started” button in the upper right corner to get a free trial voucher. Most customers that use THOR with Sigma choose one of our THOR license packs, especially the SOC Toolkit Pack, which is geared to the needs of today’s SOC teams.

New VALHALLA Web Features

The newest update of our popular YARA rule feed named VALHALLA adds new features to its web interface.

The most awaited new feature is a keyword search that allows you to query the database for certain keywords, rule names, reports, MITRE ATT&CK ids or tags.

The result page shows you if VALHALLA already has related rules in its database. 

Keyword Search

The search results show all rules in our database related to the search keyword.

You can see the rule name, description, the rule date, a reference URL and a set of links.

The new search function helps you to determine if VALHALLA and THOR already contain rules for a given report or threat. 

New Links

We have integrated new links that lead you to:

  1. the reference listed in the rule (report, source)
  2. a Virustotal lookup for that rule / sample
  3. a detailed info page for that specific rule

Rule Info Pages

The rule info page contains all the details of a certain rule. These include all metadata values like score, tags, reference links, required YARA version and modules, the rule date and the average AV detection ratio.

Two additional tables include all antivirus verdicts for samples on which that rule has matched and a list of all observed samples with links to Virustotal. 

Community Rule Info

We’ve also added notes on the 2400+ rules that are available as open source in the signature-base repository on GitHub, e.g. try SUSP_LNK_Big_Link_File.

Category Counts

A new table on the start page informs users about the rules per subscribable category. 

Also note that queries of any type to Valhalla are rate limited. Too many requests in a relatively short time frame will lead to a complete block, as will a high number of requests over a longer time period and other suspicious activity. Customers can get their source IP addresses whitelisted on request.

The new version will be deployed in the coming days.

Web Proxy Event Analysis Cheat Sheet

The “Web Proxy Event Analysis Cheat Sheet” can help SOCs and security analysts classify proxy events (blocks, alerts) and is based on my ideas and many ideas from experts that helped me collect detection ideas for this document.

You can download version 1.0 here.

We also recommend checking Sigma’s “proxy” section for detection rules that can be used to detect threats in web proxy or similar logs as long as they contain web connection information (EDR, HIDS etc.).

Upcoming Master ASGARD v2

In the first week of June, we plan to release Master ASGARD v2.

Master ASGARD is an ASGARD version that is able to connect to and control an unlimited number of ASGARD servers.

While each ASGARD supports 25,000 connected endpoints, a Master ASGARD server can control a theoretically unlimited number of ASGARD servers and thus an unlimited number of end systems. We plan to support installations with up to 500,000 end systems until we get confirming performance and system load statistics from our customers’ setups.

With Master ASGARD v2 we will also change the way in which you install Master ASGARD.

From now on, the ASGARD platform can be upgraded to a Master ASGARD by installing a special license. You simply upgrade an already installed ASGARD to a Master ASGARD.

Master ASGARD 2 features

  • MISP integration and IOCs triage scans on all connected endpoints
  • Remote Console on all connected endpoints
  • Playbook runs on all connected endpoints
  • Evidence collection from all connected endpoints
  • License management for all connected ASGARDs
  • Key material backup of all connected ASGARDs
  • THOR version management of all connected ASGARDs

Master ASGARD 2 does not support

  • direct upgrade from Master ASGARD version 1
  • the control of ASGARDs running on version 1

Please contact sales@nextron-systems.com for more information on Master ASGARD v2.

Upcoming Changes in THOR v10.5

PE Sieve Integration

With the integration of @hasharezade‘s PE Sieve project THOR is able to detect and report a variety of process implants like replaced or injected portable executables (process hollowing), injected shellcodes, hooks and in-memory patches.

Naturally, since @hasharezade’s project is an open source project, this feature will also be available in THOR Lite, the free version of THOR. 

Process Dumps

THOR v10.5 creates a process dump of any process that is considered suspicious or malicious. 

This process dump can then be analyzed with standard tools later to examine the findings. Use the flag “--dump-procs” to activate this feature.

To prevent excessive disk space usage, new dumps overwrite old dumps of the same process. Also, THOR stores the dumps in a compressed form and will not generate dumps if less than 5 GB disk space is available. 

Global Module Lookback

The current “--lookback” option allows you to restrict the Eventlog and log file scan to a given number of days. E.g. by using “--lookback 3” you instruct THOR to check only the log entries that have been created in the last 3 days.

We’ve extended this feature to include all applicable modules, including “FileScan”, “Registry”, “Services”, “Registry Hives” and “EVTX Scan”. By setting the flags “--global-lookback --lookback 2” you instruct THOR to scan only elements that have been created or modified during the last 2 days. This reduces the scan duration significantly.

On our test systems, we were able to reduce the duration of a full filesystem scan with a lookback of three days to less than 4 minutes.

LNK File Parser

The link file parser module processes .lnk files, extracts relevant data and gathers more information on the linked contents. It also applies the anomaly detection methods to its contents to allow the detection of unknown threats. 

More Changes

  • Default output files include a timestamp and not just the date
  • Outputs include non-ASCII characters in a hex encoded form (use --ascii to revert to ASCII-only output)
  • THOR DB’s “--resume” feature is deactivated by default and has to be manually activated using “--resume” due to significant performance implications caused by updating resume states in THOR DB
  • New --portal* flags allow license generation at runtime using our Nextron portal API
  • New --yara-max-strings-per-rule flag limits the output of matching strings
  • New --nofserrors flag suppresses all error messages regarding access permissions
  • New --scanid-prefix allows users to set a custom prefix to allow the identification of a group of scans
  • New --print-signatures flag lists names and metadata of all included YARA and Sigma rules

End-of-Life ASGARD v1 and Master ASGARD v1

Nextron announces the end-of-sale and end-of-life dates for the ASGARD version 1 and Master ASGARD version 1. The last day to order the affected product(s) is May 31, 2020. Customers with active service contracts will continue to receive support as shown until June 30, 2021.

End of Life Announcement Date: 22.05.2020
  The date the document that announces the end-of-sale and end-of-life of a product is distributed to the general public.

End of Sale Date: 31.05.2020
  The product is no longer for sale after this date.

End of Software Maintenance: 31.05.2021
  The last date that Nextron may release any final software maintenance releases or bug fixes. After this date, Nextron will no longer develop, repair, maintain, or test the product software.

Last Date of Support: 30.06.2021
  The last date to receive applicable service and support for the product as entitled by active service contracts or by warranty terms and conditions. After this date, all support services for the product are unavailable, and the product becomes obsolete.

New VALHALLA Features That You Might Have Missed

Rule Info Pages

The new rule info pages allow you to get more information on a certain rule. You can find all the metadata, as well as past rule matches and previous antivirus verdicts.

A second tab contains statistics. 

You can also report false positives that you’ve encountered with that rule using the button in the tab bar. 

Note that the rule info lookups in the web GUI are rate limited. If you query rule infos too often, you get blocked.

The rule info pages can be accessed using this URL scheme:

https://valhalla.nextron-systems.com/info/rule/RULE_NAME

For example:

https://valhalla.nextron-systems.com/info/rule/HKTL_Empire_ShellCodeRDI_Dec19_1

Rule Info & Hash Info

The rule info and hash info API endpoints are available for customers with valid API key only.

The API is not rate limited.

Customers can find information on how to use these end points here.

Automated Tagging

The automated tagging has been extended to include MITRE ATT&CK threat actor group IDs.

Status Includes Version

The status endpoint now includes a version number.

The version number is an integer value generated from the last update timestamp using the format string “%Y%m%d%H”. This way it is not just a version number that you can compare with your local last change (e.g. “>=”) but also an implicit timestamp.

You can access that endpoint via POST request (/api/v1/status) or Python API’s “get_status()” function.
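As an added example (not code from the original post or from the VALHALLA Python API), the following Python snippet turns the integer version from the status endpoint back into a timestamp and decides whether a locally cached rule set is outdated. The status document is constructed; in practice it comes from a POST to /api/v1/status or the Python API’s get_status() function, whose exact return shape is assumed here.

```python
# Added example, not part of the original post or the VALHALLA Python API:
# interpret the integer version from the status endpoint and compare it with
# the timestamp of a locally cached rule set.
from datetime import datetime
from typing import Any, Dict

VERSION_FORMAT = "%Y%m%d%H"  # format string named in the post

# Constructed sample of what the status endpoint is assumed to return.
SAMPLE_STATUS: Dict[str, Any] = {"status": "green", "version": 2020052214}


def version_to_datetime(version: int) -> datetime:
    """2020052214 -> 2020-05-22 14:00 (hour precision, as the format implies)."""
    return datetime.strptime(str(version), VERSION_FORMAT)


def datetime_to_version(moment: datetime) -> int:
    """Inverse mapping: the version the feed would carry for an update in this hour."""
    return int(moment.strftime(VERSION_FORMAT))


def feed_is_newer(remote_version: int, local_last_change: datetime) -> bool:
    """True when the feed was updated after the hour the local copy was fetched.

    Because the integer is ordered exactly like the timestamp, a plain integer
    comparison is enough; no date parsing is needed on the hot path.
    """
    return remote_version > datetime_to_version(local_last_change)


def check_status(status: Dict[str, Any], local_last_change_iso: str) -> Dict[str, Any]:
    """Summarize a status document against an ISO-8601 local fetch time."""
    remote = int(status["version"])
    local = datetime.fromisoformat(local_last_change_iso)
    return {
        "remote_version": remote,
        "remote_updated": version_to_datetime(remote).isoformat(),
        "local_version": datetime_to_version(local),
        "update_needed": feed_is_newer(remote, local),
    }


if __name__ == "__main__":
    # Replace the constructed sample with the real response of get_status().
    print(check_status(SAMPLE_STATUS, "2020-05-21T09:30:00"))
```

Because the version only has hour resolution, two updates within the same hour yield the same integer; store the version you last fetched rather than a wall-clock time if you need to be sure you do not miss one.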

You can find more information on Valhalla on our web page.